07 May 2010 07:25 AM
Websense® Security Labs™ ThreatSeeker™ Network has discovered that the popular Web site, phpnuke.org, has been compromised.
PHP-Nuke is a popular Web content management system (CMS), written in PHP and backed by a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were free, open-source software released under the GNU General Public License, but it has since become commercial software. It remains widely deployed across the Internet, so it is not surprising that it has become a target of blackhat attacks.
The injected iframe hijacks the browser to a malicious site, where through several steps of iframe redirections the user finally ends up on a highly obfuscated malicious page.
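As an added example (not part of the original alert, and not Websense code), the following Python checker flags iframes with the traits typical of this kind of injection: a src on a different host than the page, 1x1 or otherwise tiny dimensions, hidden inline styling, or placement inside a display:none container. The sample page, its hostnames and the page host passed in are constructed for the demonstration; they are not the actual phpnuke.org markup or the attacker's domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (NOT the real phpnuke.org markup): one legitimate
# same-origin iframe plus an injected, hidden 1x1 iframe pointing off-site.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/modules/news.php" width="600" height="400"></iframe>
<div style="display:none">
<iframe src="http://evil.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</div>
</body></html>
"""


def _is_hidden_style(style):
    """True if an inline style hides the element (display:none / visibility:hidden)."""
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def _dimension(value):
    """Parse a width/height attribute such as '1', '1px' or '100%'; None if absent/unparseable."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect every <iframe> together with whether it sits inside a hidden container."""

    VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base",
            "col", "embed", "param", "source", "track", "wbr"}

    def __init__(self):
        super().__init__()
        self.iframes = []   # list of (attrs dict, inside_hidden_container)
        self._stack = []    # (tag, is_hidden) for currently open elements

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            in_hidden = any(hidden for _, hidden in self._stack)
            self.iframes.append((attrs, in_hidden))
        if tag not in self.VOID:
            self._stack.append((tag, _is_hidden_style(attrs.get("style"))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look injected; [] if none."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs, in_hidden in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("src points off-site to %s" % host)
        w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (w is not None and w <= 2) or (h is not None and h <= 2):
            reasons.append("tiny dimensions %sx%s" % (w, h))
        if _is_hidden_style(attrs.get("style")):
            reasons.append("hidden via inline style")
        if in_hidden:
            reasons.append("inside a hidden container")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; pass the real page host when
    # checking a downloaded copy of a live site.
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "phpnuke.org"):
        print(src, "->", "; ".join(reasons))
```

The check is deliberately heuristic: a legitimate ad or analytics iframe can also be off-site or small, so treat hits as leads to confirm by fetching the src through a sandboxed client, not as proof of compromise on their own. Conversely, an injection can be lodged in a script that writes the iframe at runtime, which a static parse of the served HTML will not see; that case needs an instrumented browser.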
After de-obfuscating the code, we can see three different exploits, two of them targeting Internet Explorer and the third one targeting Adobe Reader.
The first exploit targets a vulnerability in MDAC (CVE-2006-0003), described in Microsoft Security Bulletin MS06-014. If it succeeds, a malicious application is downloaded and stored in "%temp%\updates.exe". After this the downloaded trojan is executed, at which point it installs itself on the computer and attempts to access several Web sites.
The second exploit uses a Java vulnerability to execute shellcode, which in turn downloads the malicious executable. From that point the infection proceeds as described above.
At the time of analysis, the downloaded executable was detected by only 12% of the antivirus products on VirusTotal.
WARNING: At the time of writing the front page of phpnuke.org still contains the malicious iframe, so we advise users to stay away from the site until it has been fixed.
Websense Messaging and Websense Web Security customers are protected against this attack.